helm-charts
VPA: 'bad certificate' error when using cert-manager self-signed cert
I'm trying to use the vpa chart with a cert-manager certificate. The recommender and updater appear to work fine, but the admission controller doesn't seem to start the web hook properly, producing a bad certificate error. As far as I am able to tell, the generated certificate looks like it has been correctly generated, but clearly something is amiss that is beyond my ability to debug. I'm not sure if this is an issue with the chart or with VPA itself, but hopefully you can point me in the right direction! Many thanks
Admission Deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "3"
  creationTimestamp: "2024-09-11T17:13:36Z"
  generation: 3
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/component-instance: vertical-pod-autoscaler-admission-controller
    app.kubernetes.io/instance: vertical-pod-autoscaler
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: vertical-pod-autoscaler
    app.kubernetes.io/version: 1.2.1
    argocd.argoproj.io/instance: vertical-pod-autoscaler
    helm.sh/chart: vertical-pod-autoscaler-1.7.1
  name: vertical-pod-autoscaler-admission-controller
  namespace: kube-system
  resourceVersion: "25725578"
  uid: 1d05aed9-accb-4b1d-9486-16d8403f6040
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/component: admission-controller
      app.kubernetes.io/instance: vertical-pod-autoscaler
      app.kubernetes.io/name: vertical-pod-autoscaler
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 25%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        kubectl.kubernetes.io/restartedAt: "2024-09-15T08:42:19+01:00"
      creationTimestamp: null
      labels:
        app.kubernetes.io/component: admission-controller
        app.kubernetes.io/instance: vertical-pod-autoscaler
        app.kubernetes.io/name: vertical-pod-autoscaler
    spec:
      containers:
      - args:
        - --v=5
        - --port=8000
        - --address=:8944
        - --register-webhook=false
        - --client-ca-file=/etc/tls-certs/ca.crt
        - --tls-cert-file=/etc/tls-certs/tls.crt
        - --tls-private-key=/etc/tls-certs/tls.key
        - --reload-cert
        env:
        - name: NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        image: registry.k8s.io/autoscaling/vpa-admission-controller:1.2.1
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 10
          httpGet:
            path: /health-check
            port: http-metrics
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: admission-controller
        ports:
        - containerPort: 8000
          name: http
          protocol: TCP
        - containerPort: 8944
          name: http-metrics
          protocol: TCP
        readinessProbe:
          failureThreshold: 10
          httpGet:
            path: /health-check
            port: http-metrics
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources: {}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          privileged: false
          readOnlyRootFilesystem: true
          runAsGroup: 65532
          runAsNonRoot: true
          runAsUser: 65532
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /etc/tls-certs
          name: tls-certs
          readOnly: true
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
        fsGroup: 65534
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      serviceAccount: vertical-pod-autoscaler-admission-controller
      serviceAccountName: vertical-pod-autoscaler-admission-controller
      terminationGracePeriodSeconds: 30
      volumes:
      - name: tls-certs
        secret:
          defaultMode: 420
          secretName: vertical-pod-autoscaler-admission-controller-cert
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: "2024-09-11T17:13:43Z"
    lastUpdateTime: "2024-09-11T17:13:43Z"
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  - lastTransitionTime: "2024-09-11T17:13:36Z"
    lastUpdateTime: "2024-09-15T08:01:36Z"
    message: ReplicaSet "vertical-pod-autoscaler-admission-controller-67f87bf7f5"
      has successfully progressed.
    reason: NewReplicaSetAvailable
    status: "True"
    type: Progressing
  observedGeneration: 3
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1
This is my values.yaml:
#updater:
#  extraArgs:
#    - "--min-replicas=1"
logLevel: 5
admissionController:
  certManager:
    enabled: true
  extraArgs:
    - "--reload-cert"
The certificate issuer:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  creationTimestamp: "2024-09-11T17:13:37Z"
  generation: 1
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/component-instance: vertical-pod-autoscaler-admission-controller
    app.kubernetes.io/instance: vertical-pod-autoscaler
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: vertical-pod-autoscaler
    app.kubernetes.io/version: 1.2.1
    argocd.argoproj.io/instance: vertical-pod-autoscaler
    helm.sh/chart: vertical-pod-autoscaler-1.7.1
  name: vertical-pod-autoscaler-admission-controller-cert
  namespace: kube-system
  resourceVersion: "21981204"
  uid: af501a24-83a1-4a45-b7b9-8a8fd99b1657
spec:
  selfSigned: {}
status:
  conditions:
  - lastTransitionTime: "2024-09-11T17:13:37Z"
    observedGeneration: 1
    reason: IsReady
    status: "True"
    type: Ready
The generated certificate:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  creationTimestamp: "2024-09-11T17:13:37Z"
  generation: 1
  labels:
    app.kubernetes.io/component: admission-controller
    app.kubernetes.io/component-instance: vertical-pod-autoscaler-admission-controller
    app.kubernetes.io/instance: vertical-pod-autoscaler
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: vertical-pod-autoscaler
    app.kubernetes.io/version: 1.2.1
    argocd.argoproj.io/instance: vertical-pod-autoscaler
    helm.sh/chart: vertical-pod-autoscaler-1.7.1
  name: vertical-pod-autoscaler-admission-controller
  namespace: kube-system
  resourceVersion: "21981196"
  uid: f1e7e2d6-6924-4a77-8bc7-e4f9ee4d7d79
spec:
  dnsNames:
  - vertical-pod-autoscaler-admission-controller.kube-system
  - vertical-pod-autoscaler-admission-controller.kube-system.svc
  - vertical-pod-autoscaler-admission-controller.kube-system.svc.cluster.local
  issuerRef:
    kind: Issuer
    name: vertical-pod-autoscaler-admission-controller-cert
  secretName: vertical-pod-autoscaler-admission-controller-cert
status:
  conditions:
  - lastTransitionTime: "2024-09-11T17:13:37Z"
    message: Certificate is up to date and has not expired
    observedGeneration: 1
    reason: Ready
    status: "True"
    type: Ready
  notAfter: "2024-12-09T15:34:13Z"
  notBefore: "2024-09-10T15:34:13Z"
  renewalTime: "2024-11-09T15:34:13Z"
And the resulting secret:
apiVersion: v1
data:
  ca.crt: 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
  tls.crt: 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
  tls.key: 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
kind: Secret
metadata:
  annotations:
    cert-manager.io/alt-names: vertical-pod-autoscaler-admission-controller.kube-system,vertical-pod-autoscaler-admission-controller.kube-system.svc,vertical-pod-autoscaler-admission-controller.kube-system.svc.cluster.local
    cert-manager.io/certificate-name: vertical-pod-autoscaler-admission-controller
    cert-manager.io/common-name: ""
    cert-manager.io/ip-sans: ""
    cert-manager.io/issuer-group: ""
    cert-manager.io/issuer-kind: Issuer
    cert-manager.io/issuer-name: vertical-pod-autoscaler-admission-controller-cert
    cert-manager.io/uri-sans: ""
  creationTimestamp: "2024-09-08T07:44:32Z"
  labels:
    controller.cert-manager.io/fao: "true"
  name: vertical-pod-autoscaler-admission-controller-cert
  namespace: kube-system
  resourceVersion: "20891073"
  uid: 48f2a61a-1476-4319-a4a9-38a718d4795e
type: kubernetes.io/tls
This is the log from the admission controller:
I0915 08:01:35.491726 1 flags.go:57] FLAG: --add-dir-header="false"
I0915 08:01:35.492953 1 flags.go:57] FLAG: --address=":8944"
I0915 08:01:35.492966 1 flags.go:57] FLAG: --alsologtostderr="false"
I0915 08:01:35.492976 1 flags.go:57] FLAG: --client-ca-file="/etc/tls-certs/ca.crt"
I0915 08:01:35.492985 1 flags.go:57] FLAG: --ignored-vpa-object-namespaces=""
I0915 08:01:35.492994 1 flags.go:57] FLAG: --kube-api-burst="10"
I0915 08:01:35.493006 1 flags.go:57] FLAG: --kube-api-qps="5"
I0915 08:01:35.493026 1 flags.go:57] FLAG: --kubeconfig=""
I0915 08:01:35.493035 1 flags.go:57] FLAG: --log-backtrace-at=":0"
I0915 08:01:35.493058 1 flags.go:57] FLAG: --log-dir=""
I0915 08:01:35.493068 1 flags.go:57] FLAG: --log-file=""
I0915 08:01:35.493076 1 flags.go:57] FLAG: --log-file-max-size="1800"
I0915 08:01:35.493088 1 flags.go:57] FLAG: --logtostderr="true"
I0915 08:01:35.493096 1 flags.go:57] FLAG: --min-tls-version="tls1_2"
I0915 08:01:35.493105 1 flags.go:57] FLAG: --one-output="false"
I0915 08:01:35.493114 1 flags.go:57] FLAG: --port="8000"
I0915 08:01:35.493124 1 flags.go:57] FLAG: --register-by-url="false"
I0915 08:01:35.493132 1 flags.go:57] FLAG: --register-webhook="false"
I0915 08:01:35.493142 1 flags.go:57] FLAG: --reload-cert="true"
I0915 08:01:35.493151 1 flags.go:57] FLAG: --skip-headers="false"
I0915 08:01:35.493159 1 flags.go:57] FLAG: --skip-log-headers="false"
I0915 08:01:35.493170 1 flags.go:57] FLAG: --stderrthreshold="2"
I0915 08:01:35.493178 1 flags.go:57] FLAG: --tls-cert-file="/etc/tls-certs/tls.crt"
I0915 08:01:35.493193 1 flags.go:57] FLAG: --tls-ciphers=""
I0915 08:01:35.493202 1 flags.go:57] FLAG: --tls-private-key="/etc/tls-certs/tls.key"
I0915 08:01:35.493212 1 flags.go:57] FLAG: --v="5"
I0915 08:01:35.493221 1 flags.go:57] FLAG: --vmodule=""
I0915 08:01:35.493237 1 flags.go:57] FLAG: --vpa-object-namespace=""
I0915 08:01:35.493246 1 flags.go:57] FLAG: --webhook-address=""
I0915 08:01:35.493256 1 flags.go:57] FLAG: --webhook-port=""
I0915 08:01:35.493264 1 flags.go:57] FLAG: --webhook-service="vpa-webhook"
I0915 08:01:35.493272 1 flags.go:57] FLAG: --webhook-timeout-seconds="30"
I0915 08:01:35.494562 1 main.go:87] Vertical Pod Autoscaler 1.2.1 Admission Controller
I0915 08:01:35.504175 1 reflector.go:289] Starting reflector *v1.VerticalPodAutoscaler (1h0m0s) from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/utils/vpa/api.go:90
I0915 08:01:35.504371 1 reflector.go:325] Listing and watching *v1.VerticalPodAutoscaler from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/utils/vpa/api.go:90
I0915 08:01:35.697590 1 shared_informer.go:341] caches populated
I0915 08:01:35.697649 1 api.go:94] Initial VPA synced successfully
I0915 08:01:35.717300 1 discovery.go:214] Invalidating discovery information
I0915 08:01:35.718598 1 reflector.go:289] Starting reflector *v1.Job (10m0s) from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:35.718652 1 reflector.go:325] Listing and watching *v1.Job from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:35.919350 1 shared_informer.go:341] caches populated
I0915 08:01:35.919468 1 fetcher.go:99] Initial sync of Job completed
I0915 08:01:35.919834 1 reflector.go:289] Starting reflector *v1.CronJob (10m0s) from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:35.919869 1 reflector.go:325] Listing and watching *v1.CronJob from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:36.020312 1 shared_informer.go:341] caches populated
I0915 08:01:36.020361 1 fetcher.go:99] Initial sync of CronJob completed
I0915 08:01:36.020719 1 reflector.go:289] Starting reflector *v1.DaemonSet (10m0s) from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:36.020740 1 reflector.go:325] Listing and watching *v1.DaemonSet from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:36.121330 1 shared_informer.go:341] caches populated
I0915 08:01:36.121382 1 fetcher.go:99] Initial sync of DaemonSet completed
I0915 08:01:36.121727 1 reflector.go:289] Starting reflector *v1.Deployment (10m0s) from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:36.121760 1 reflector.go:325] Listing and watching *v1.Deployment from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:36.221553 1 shared_informer.go:341] caches populated
I0915 08:01:36.221604 1 fetcher.go:99] Initial sync of Deployment completed
I0915 08:01:36.221901 1 reflector.go:289] Starting reflector *v1.ReplicaSet (10m0s) from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:36.221938 1 reflector.go:325] Listing and watching *v1.ReplicaSet from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:36.527384 1 shared_informer.go:341] caches populated
I0915 08:01:36.527431 1 fetcher.go:99] Initial sync of ReplicaSet completed
I0915 08:01:36.527743 1 reflector.go:289] Starting reflector *v1.StatefulSet (10m0s) from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:36.527777 1 reflector.go:325] Listing and watching *v1.StatefulSet from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:36.628785 1 shared_informer.go:341] caches populated
I0915 08:01:36.628853 1 fetcher.go:99] Initial sync of StatefulSet completed
I0915 08:01:36.629272 1 reflector.go:289] Starting reflector *v1.ReplicationController (10m0s) from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:36.629304 1 reflector.go:325] Listing and watching *v1.ReplicationController from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94
I0915 08:01:36.729855 1 shared_informer.go:341] caches populated
I0915 08:01:36.729897 1 fetcher.go:99] Initial sync of ReplicationController completed
I0915 08:01:36.730363 1 shared_informer.go:341] caches populated
I0915 08:01:36.730434 1 controller_fetcher.go:141] Initial sync of Deployment completed
I0915 08:01:36.730462 1 shared_informer.go:341] caches populated
I0915 08:01:36.730491 1 controller_fetcher.go:141] Initial sync of ReplicaSet completed
I0915 08:01:36.730507 1 shared_informer.go:341] caches populated
I0915 08:01:36.730518 1 controller_fetcher.go:141] Initial sync of StatefulSet completed
I0915 08:01:36.730530 1 shared_informer.go:341] caches populated
I0915 08:01:36.730542 1 controller_fetcher.go:141] Initial sync of ReplicationController completed
I0915 08:01:36.730553 1 shared_informer.go:341] caches populated
I0915 08:01:36.730578 1 controller_fetcher.go:141] Initial sync of Job completed
I0915 08:01:36.730591 1 shared_informer.go:341] caches populated
I0915 08:01:36.730602 1 controller_fetcher.go:141] Initial sync of CronJob completed
I0915 08:01:36.730614 1 shared_informer.go:341] caches populated
I0915 08:01:36.730626 1 controller_fetcher.go:141] Initial sync of DaemonSet completed
I0915 08:01:36.730737 1 discovery.go:214] Invalidating discovery information
W0915 08:01:36.730794 1 shared_informer.go:459] The sharedIndexInformer has started, run more than once is not allowed
W0915 08:01:36.730807 1 shared_informer.go:459] The sharedIndexInformer has started, run more than once is not allowed
W0915 08:01:36.730822 1 shared_informer.go:459] The sharedIndexInformer has started, run more than once is not allowed
W0915 08:01:36.730850 1 shared_informer.go:459] The sharedIndexInformer has started, run more than once is not allowed
W0915 08:01:36.730856 1 shared_informer.go:459] The sharedIndexInformer has started, run more than once is not allowed
W0915 08:01:36.730860 1 shared_informer.go:459] The sharedIndexInformer has started, run more than once is not allowed
W0915 08:01:36.730950 1 shared_informer.go:459] The sharedIndexInformer has started, run more than once is not allowed
I0915 08:01:36.731314 1 reflector.go:289] Starting reflector *v1.LimitRange (10m0s) from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/utils/limitrange/limit_range_calculator.go:60
I0915 08:01:36.731346 1 reflector.go:325] Listing and watching *v1.LimitRange from k8s.io/autoscaler/vertical-pod-autoscaler/pkg/utils/limitrange/limit_range_calculator.go:60
I0915 08:01:36.831153 1 shared_informer.go:341] caches populated
2024/09/15 08:03:58 http: TLS handshake error from 10.42.0.0:36068: remote error: tls: bad certificate
I0915 08:06:35.718484 1 discovery.go:214] Invalidating discovery information
I0915 08:06:36.731460 1 discovery.go:214] Invalidating discovery information
I0915 08:07:16.941518 1 reflector.go:790] k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94: Watch close - *v1.CronJob total 6 items received
I0915 08:07:17.074882 1 reflector.go:790] k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94: Watch close - *v1.DaemonSet total 7 items received
I0915 08:07:30.842187 1 reflector.go:790] k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94: Watch close - *v1.Job total 13 items received
I0915 08:08:10.657361 1 reflector.go:790] k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94: Watch close - *v1.ReplicationController total 8 items received
I0915 08:08:18.769606 1 reflector.go:790] k8s.io/autoscaler/vertical-pod-autoscaler/pkg/utils/limitrange/limit_range_calculator.go:60: Watch close - *v1.LimitRange total 8 items received
I0915 08:08:51.451660 1 reflector.go:790] k8s.io/autoscaler/vertical-pod-autoscaler/pkg/target/fetcher.go:94: Watch close - *v1.ReplicaSet total 13 items received
2024/09/15 08:10:00 http: TLS handshake error from 10.42.0.0:37660: remote error: tls: bad certificate
2024/09/15 08:10:00 http: TLS handshake error from 10.42.0.0:37676: remote error: tls: bad certificate
2024/09/15 08:10:00 http: TLS handshake error from 10.42.0.0:37666: remote error: tls: bad certificate
2024/09/15 08:10:01 http: TLS handshake error from 10.42.0.0:37692: remote error: tls: bad certificate
2024/09/15 08:10:01 http: TLS handshake error from 10.42.0.0:37694: remote error: tls: bad certificate
And finally, this is what happens when I unpack the certificate from the secret and try to validate it:
+ kubectl -n kube-system get secret vertical-pod-autoscaler-admission-controller-cert -o json '-o=jsonpath={.data.ca\.crt}'
+ base64 -d
+ kubectl -n kube-system get secret vertical-pod-autoscaler-admission-controller-cert -o json '-o=jsonpath={.data.tls\.crt}'
+ base64 -d
+ kubectl -n kube-system get secret vertical-pod-autoscaler-admission-controller-cert -o json '-o=jsonpath={.data.tls\.key}'
+ base64 -d
+ openssl x509 -in ca.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9e:51:bd:09:80:0c:21:62:01:6f:a1:b7:06:ca:73:c0
Signature Algorithm: sha256WithRSAEncryption
Issuer:
Validity
Not Before: Sep 10 15:34:13 2024 GMT
Not After : Dec 9 15:34:13 2024 GMT
Subject:
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Alternative Name: critical
DNS:vertical-pod-autoscaler-admission-controller.kube-system, DNS:vertical-pod-autoscaler-admission-controller.kube-system.svc, DNS:vertical-pod-autoscaler-admission-controller.kube-system.svc.cluster.local
Signature Algorithm: sha256WithRSAEncryption
Signature Value:
+ openssl x509 -noout -modulus -in ca.crt
+ openssl md5
MD5(stdin)= 41d30e57a951435349447219a22b0b8c
+ openssl x509 -noout -modulus -in tls.crt
+ openssl md5
MD5(stdin)= 41d30e57a951435349447219a22b0b8c
+ openssl rsa -noout -modulus -in tls.key
+ openssl md5
MD5(stdin)= 41d30e57a951435349447219a22b0b8c
+ openssl rsa -check -in tls.key
writing RSA key
RSA key ok
+ openssl x509 -noout -dates -in ca.crt
notBefore=Sep 10 15:34:13 2024 GMT
notAfter=Dec 9 15:34:13 2024 GMT
+ openssl x509 -noout -dates -in tls.crt
notBefore=Sep 10 15:34:13 2024 GMT
notAfter=Dec 9 15:34:13 2024 GMT
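`remote error: tls: bad certificate` in the log above is an alert sent by the connecting client: it rejected the serving certificate, and the alert does not say which check failed. The following added example (not part of the original report, and not code from the chart or from VPA) repeats those checks offline with Go's `crypto/x509` on a constructed certificate shaped like the one in the post; `newSelfSigned` and `checkAsWebhookClient` are hypothetical names, and it assumes the caller verifies against the webhook's CA bundle and the `<service>.<namespace>.svc` name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned returns a constructed PEM cert like the post's: self-signed, CA:FALSE, DNS SANs only.
func newSelfSigned(dnsNames []string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the post's key is RSA-2048
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		BasicConstraintsValid: true, // IsCA stays false: CA:FALSE
		DNSNames:              dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// checkAsWebhookClient verifies servingPEM as a Go TLS client would (chain, validity, SAN).
func checkAsWebhookClient(caBundlePEM, servingPEM []byte, serverName string, at time.Time) string {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caBundlePEM) {
		return "caBundle contains no parsable certificate"
	}
	block, _ := pem.Decode(servingPEM)
	if block == nil {
		return "serving certificate is not PEM"
	}
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err == nil {
		_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName, CurrentTime: at})
	}
	inv := new(x509.CertificateInvalidError)
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, new(x509.UnknownAuthorityError)):
		return "unknown authority"
	case errors.As(err, new(x509.HostnameError)):
		return "hostname mismatch"
	case errors.As(err, inv) && inv.Reason == x509.Expired:
		return "expired or not yet valid"
	}
	return "other: " + err.Error()
}

func main() {
	svc := "vertical-pod-autoscaler-admission-controller.kube-system.svc"
	nb := time.Date(2024, 9, 10, 15, 34, 13, 0, time.UTC) // notBefore from the post
	crt, err := newSelfSigned([]string{svc}, nb, nb.AddDate(0, 0, 90))
	fmt.Println(checkAsWebhookClient(crt, crt, svc, nb.AddDate(0, 0, 5)), err)
}
```

To run it on real data, pass the decoded CA bundle and `tls.crt` bytes together with the service name the webhook configuration points at; each result names the single check that failed.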